Chao Zou
Dept. of Electrical and Computer Engineering
Michigan Technological University, Houghton, USA
{czou@mtu.edu}

Chunxiao Chigan
Dept. of Electrical and Computer Engineering
Michigan Technological University, Houghton, USA
{cchigan@mtu.edu}

Abstract—Cognitive radio (CR) technology enables the unlicensed user to access the spectrum holes left by the licensed user (LU), subject to the basic requirement of causing no interference to active LUs. Nevertheless, LU protection can be misused by malicious CRs that emulate LUs. Observing that the real object of protection is the licensed receiver (LR) rather than the licensed transmitter (LT), this work studies the licensed user emulation attack in its genuine form, the LR emulation (LRE) attack. Based on an analysis of all possible defense schemes, a digital signature based LRE defense system in the simplex licensed network (SLN) environment is proven practical. The defense mechanism is composed of the signature design for LR authentication, as well as the design of a public key infrastructure (PKI), used for the distribution of certificates for the LR signatures. With the aim of minimizing the communication cost of maintaining the PKI, we propose a certification tree with LR ramification (CTLR) mechanism for certificate request and reply.

Keywords—Licensed receiver emulation, licensed receiver detection, cognitive radio network, certification tree

I. INTRODUCTION

The demand for spectrum is ever increasing nowadays; nevertheless, most spectrum bands allocated to legitimate users with spectrum licenses are sparsely used in the time domain. Cognitive radio (CR) [1] technology is a promising technique to enhance spectrum utilization efficiency by enabling the unlicensed user to access the spectrum when the licensed user (LU) is not active. Therefore, the most basic requirement for CRs is that they cannot interfere with active LUs.
Nevertheless, the basic principle of licensed user protection can be easily misused by malicious CRs: they can pretend to be licensed users to keep other benign CRs from accessing the spectrum freed by real licensed users, which is called the licensed user emulation attack. This attack was first discovered in 2005 [2], and later researchers proposed defenses utilizing radio channel characteristics [3-4] to thwart this attack in the TV network environment. In [3-4], the attack was considered in the form of fabricating the licensed transmitter’s signal (TV signal). Nevertheless, in the TV network, CRs are only concerned with whether there is a TV set nearby and whether the TV set is ON, to make sure their transmission won't interfere with the reception of the TV set. Therefore, CRs do not care whether the TV signal is sensed. Indeed, most TV towers transmit 24 hours a day, which means CRs incessantly sense the TV signal in the TV network, and hence forging the TV signal becomes meaningless for the attacker.

Indeed, the object of protection in CRNs should always be the licensed receiver (LR) rather than the licensed transmitter (LT). Hence, the attack takes effect only when the attackers can successfully deceive the benign CRs into believing they are LRs. To the best of our knowledge, because the different roles of the licensed transmitter and receiver in CRNs are pervasively overlooked, there is no work dedicated to the research of the licensed receiver emulation (LRE) attack, which is the genuine form of the licensed user emulation attack. Before investigating the LRE attack, we first systematically analyze the LR detection methods, as illustrated in the next section.

II. LR DETECTION METHODS

There has been a plethora of research dedicated to licensed user detection based on licensed signal sensing, including matched filter detection, energy detection and cyclostationary feature detection [5-9].
These signal sensing based methods follow a common prescription, that is, when the signal from the LT is sensed, CRs should give up transmission. However, as analyzed before, the existence of the LTs’ signal does not necessarily indicate reception activity of LRs in the same area. For a simplex licensed network (SLN), i.e., one in which any communication device can only transmit or only receive, the LR can never transmit, and hence licensed signal sensing based LR detection is rather ineffective, which will be illustrated in the simulation in section V.A. Only for a full duplex licensed network (DLN), i.e., one in which any communication device can both transmit and receive, may licensed signal sensing based LR detection be practical.

Noticing the difference between SLN and DLN, we propose LR detection methods for the two types of licensed network (LN). For an SLN such as a TV network, no signal comes from the LR; hence there is no other way for CRs to detect LRs but through the aid of additionally deployed sensors, namely aided LR detection, as shown in figure 1. The aiding sensors can ascertain activities of LRs by detecting the leaked power from LRs' local oscillators (LO) when LRs are active [10]: In order to

Fig. 1 Coexistence of LNs and CRNs

Licensed Receiver Detection and Authentication in Simplex Licensed Networks

This material is based upon work supported by the National Science Foundation Grant CNS-1017887.

IEEE International Workshop on Recent Advances in Cognitive Communications and Networking
978-1-4673-0040-7/11/$26.00 ©2011 IEEE